EDRSilencer: uses WFP to block EDR agents from reporting security events to the server

EDRSilencer

Inspired by the closed-source FireBlock tool FireBlock from MdSec NightHawk, I created my version. This tool was created to block the outbound traffic of running EDR processes using Windows Filtering Platform (WFP) APIs.

This tool offers the following features:

• Search known running EDR processes and add WFP filter to block its outbound traffic
• Add WFP filter for a specific process
• Remove all WFP filters created by this tool
• Remove a specific WFP filter by filter id
• Support to run in C2 with in-memory PE execution module (e.g., BruteRatel's memexec)

The tool currently supports the following EDRs:

• Microsoft Defender for Endpoint and Microsoft Defender Antivirus
• Elastic EDR
• Trellix EDR
• Qualys EDR
• SentinelOne
• Cylance
• Cybereason
• Carbon Black EDR
• Carbon Black Cloud
• Tanium
• Palo Alto Networks Traps/Cortex XDR
• FortiEDR
• Cisco Secure Endpoint (Formerly Cisco AMP)

Use

Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>
– Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:
EDRSilencer.exe blockedr

– Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):
EDRSilencer.exe block “C:\Windows\System32\curl.exe”

– Remove all WFP filters applied by this tool:
EDRSilencer.exe unblockall

– Remove a specific WFP filter based on filter id:
EDRSilencer.exe unblock <filter id>

Example

Detect and block the outbound traffic of running EDR processes

EDRSilencer.exe blocked

Download

Copyright (c) 2023 Chris Au